Sunday, February 10, 2008

The Dogs of Web War


By Rebecca Grant

After years of claims and counterclaims concerning the severity of national security threats in cyberspace, the picture is at last starting to become clear. Recent jousting within cyberspace has provided clues about what to expect from combat in this new domain.

Excerpted:

The new Cyber Command will focus dedicated attention to the problem. Elder and others are working to lay the foundation for a cyberspace career path in the Air Force on a par with those for weapons systems and specialties. "We're looking to set up a professional cadre of cyber operators, and this would be enlisted and officer," Elder said.

Investing now in survivability should help keep down the costs of buying new technology. A prime system is the Combat Information Transport System Block 30. "This is a system that is reducing our exposure to the commercial Internet," said Elder. "It's providing us much greater situational awareness in terms of being able to track the traffic on our networks."

( SURVIVABILITY??? ... I am aghast. The main mode of handling the cyber threat is "SURVIVABILITY". While this is crucial, it's a poor paradigm. The Marines don't have as their main paradigm DEFENSE. THE main paradigm should be offensive. KILL THE ATTACKERS. G. )

Already, however, Cartwright hinted at a greater freedom of action in the cyberspace commons. "Once you leave our shores, then the military authorities start to be present, and what we do is layer the defenses out as best we can to get the most warning, situation awareness that we can to protect our interests," he said.

Given the constant probing, investing in survivability is a big priority. The cyber balance of power is "the most dynamic world we've ever seen," said a senior STRATCOM official. Software security fixes may just last for hours.

( NOTHING ABOUT OFFENSIVE CAPABILITIES, DESTROYING THE ATTACKERS WEAPON, THEIR server/PC. FOCUS IS NOT DEVELOPED YET. G )

Investment will fund software tools to track vulnerabilities "before the hackers find them," said Elder, and insulate them with database wrappers that create portals to block incursions. The Air Force is also investing in extensive database encryption—a proven technique. "It's just much more difficult for someone to fool with your system when the data's encrypted," Elder said.

Yet it may take an increased sense of strategic threat to force clarification of the cyberspace mission.

Currently, there are classic divides. The intelligence community uses cyberspace in its tradecraft. Yet there is growing demand for operators to be able to exploit the same turf.

Also yet to be determined is how much traction the Air Force is getting with its commitment to cyberspace.

( NOT MUCH TRACTION, GWOT HAS BEEN IN EFFECT FOR 6 YRS AND AIR FORCE DOESN'T EVEN HAVE ACTIVE CYBERWAR, WEB PAGE OR ACTIVE RSS FEEDS FOR THE WWW SERVICE, NAVY ( NNIC ) IS WAY AHEAD ON OSINT AND ITS VALUE/CAPABILITIES. They have a web page but I can't get into it, no security clearance, which is ok, and no public face. G )

US armed forces face "peer" adversaries in only one area—military cyberspace. ( NOT )

More than ever before, cyberspace is on the minds of America's top leaders. Air Force Gen. Kevin P. Chilton, the new head of US Strategic Command, said during his confirmation hearing that "attacks impacting our freedom to operate in space and cyberspace pose serious strategic threats."

Defending the nation from cyberspace attacks is STRATCOM's mission—but one of the big challenges is assessing the strategic threat and demarcating lines of response.

It all begins with knowing the adversary. China is at the top of most lists of nations with advanced cyber capability—and the will to use it. ( The RBN has more advanced capabilities, G )

Because of the overall tenor of military competition with China, every report of Chinese activity raises hackles. In fact, there's been a steady level of reported skirmishing in cyberspace this decade.

Tactic No. 1 is near-constant pressure on US government systems. The goal of these attacks is to breach systems and leave behind malicious code capable of redirecting network activity or enabling access to stored data—to change it or steal it. "Cyber is all about 'protect it or steal it,'" Lt. Gen. Robert J. Elder Jr., commander of 8th Air Force and USAF's point man on cyber issues, said last year.

"Estonia was kind of a wake-up call," said Marine Corps Gen. James E. Cartwright, vice chairman of the Joint Chiefs of Staff and previous head of STRATCOM. "We've got to make sure we have situation awareness at a scale commensurate with our equities."

All doubt about Chinese culpability in these sorts of attacks vanished shortly after Russia's likely assault on Estonia. Pentagon sources acknowledged that a Chinese attack broke into an unclassified e-mail system used by the Office of the Secretary of Defense in June 2007. As reported by the Financial Times, the Pentagon attributed the attacks not only to Chinese server locations but to the People's Liberation Army itself.

Air Force Lt. Gen. Daniel P. Leaf, deputy commander at US Pacific Command, told the Washington Times in November 2007 that computer attacks were a growing problem. "We're very concerned about that—for the information that may be contained on [the networks] or for the activities we conduct that are command and control and situation awareness related," he said.

The attacks are of interest not for their fleeting effects—but for what they suggest about adversary intent, evolving capabilities, and the potential for debilitating breaches.

( I WANT TO HEAR COMPLAINTS FROM ATTACKERS ABOUT PC HARD DRIVES/SERVERS BEING DESTROYED, ABOUT THE USA MILITARY HARSH DEALINGS WITH HACKERS, G )

"China has put a lot of resources into this business," said Elder. Communist China's public doctrine calls for dominating the five domains of air, land, sea, space, and the electromagnetic spectrum. Although "they're the only nation that's been quite that blatant," Elder said, "they're not our only peer adversary."

The Air Force has recently taken bold action in this regard. In 2005, it elevated cyberspace to a level on par with air and space, when cyberspace was added to USAF's mission statement.

[Photo caption: Marine Corps Gen. James Cartwright (l) meets with USAF Lt. Gen. Robert Elder for a status brief on issues including the stand-up of Cyberspace Command.]

Rules of Engagement ( NONE )

Elder himself oversaw the service's cyberwar capabilities during the time when the mission was being reinforced by the creation of a new Cyber Command, the Air Force's 10th major command.

A larger policy problem rests with calibrating cyberspace operations to a scale of legitimate action. Over the last decade, rules of engagement for kinetic military operations—like targeting a terrorist safehouse in Iraq—have become highly refined.

Theater-level rules of engagement, collateral damage estimation, and positive identification all must be observed before any strike takes place. Rules such as these keep responses proportionate to the political-military goals of an operation. It's a framework familiar to the hundreds of thousands of US troops operating around the world today.

With cyberspace operations, that framework is not so prominent. German Chancellor Angela Merkel said recently that China "must respect a set of game rules."

But what are those rules, and what constitutes a breach? Connecting cyberspace activities to the geographical norms of international politics is no easy task.

( YES IT IS, IF AN ATTACK COMES FROM XYZ SERVER, TAKE IT DOWN, USA HAS A RIGHT TO SELF DEFENSE, IF A SERVER HAS POOR SECURITY, AND IS COMPROMISED, USED FOR AN ATTACK, USA STILL HAS A RIGHT TO SELF DEFENSE, AND THE RIGHT TO TAKE OUT THE ATTACKING SERVER OR PC. WHICH WILL ALSO FORCE OWNERS OF THE SERVERS TO USE GOOD SECURITY AND VET USERS. G )

For centuries, most international law has depended on the concept of sovereign borders and sovereign rights of states to gauge legitimacy. Everything from the Geneva Convention to the law of armed conflict is predicated on most offenses taking place between—or within—sovereign states. Rules of war also take for granted that events occur at a physical location tracing back to a nation-state.

It is easy to tell when a state is using tanks or artillery against its neighbors or its own populace. With cyber attacks, it's unclear when and whether the state is involved.

( DOESN'T MATTER, IF IT IS STATE SPONSORED OR NOT, AN ATTACK IS AN ATTACK, USA HAS A RIGHT TO SELF DEFENSE. POLICE ARE NOT CONCERNED ABOUT OWNERSHIP OF A BUILDING A SNIPER IS IN, THEY TAKE OUT THE THREAT. G )

Tracing attacks back to the originating Internet service provider does yield a physical location. (Cyberspace is projected from a physical infrastructure of servers, routers, and computers that have definite and sovereign physical locations.) However, cyberspace exists in a domain deemed independent of the nation-state.

What's harder to establish is whether people conducting the attacks are hackers working on their own or at a government's behest. If a computer remotely "occupied" by hackers traces a physical location to China, that is not necessarily evidence that China is behind the scheme. The ambiguity works both ways, however. If China is behind an attack, it has built-in deniability.

[Photo caption: Estonian police use tear gas and truncheons to disperse a crowd protesting the removal of a bronze statue of a Russian soldier from the center of the capital city. The clash resulted in a massive cyber attack on government and private Web sites.]
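The preceding paragraphs describe what "tracing an attack back to the originating ISP" actually yields: a physical location for the last hop, not the identity of whoever directs it. The script below is an added example (not code from the article, the blog author, or the Air Force) that shows the practitioner's side of that point. It parses constructed flow records from a flood against one host, maps every source address to a network owner with longest-prefix matching over a constructed prefix table (a stand-in for real routing/WHOIS data; all addresses, ASNs and countries are invented or documentation ranges), and reports how dispersed the sources are. With a botnet the trace lands on many owners in many countries, each of them a compromised relay rather than the operator.

```python
"""Source-address attribution over constructed flow records.

Added example, not from the article or the blog. The prefix table, ASNs,
countries and flow lines are all constructed for illustration.
"""
import ipaddress
from collections import Counter

# Constructed prefix table: (prefix, autonomous-system number, country code).
# Real data would come from routing/WHOIS lookups; these are documentation
# ranges with invented ASNs.
PREFIX_TABLE = [
    ("192.0.2.0/24",     64496, "EE"),
    ("198.51.100.0/24",  64497, "RU"),
    ("198.51.100.64/26", 64498, "DE"),   # more specific than the /24 above
    ("203.0.113.0/24",   64499, "US"),
    ("2001:db8::/32",    64500, "CN"),
]

# Longest prefix first so the first match wins.
_NETWORKS = sorted(
    ((ipaddress.ip_network(p), asn, cc) for p, asn, cc in PREFIX_TABLE),
    key=lambda t: t[0].prefixlen, reverse=True,
)

def lookup_owner(ip):
    """Longest-prefix match of an address against the table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, asn, cc in _NETWORKS:
        if addr.version == net.version and addr in net:
            return asn, cc
    return None

# Constructed flow records: "<epoch> <src_ip> <dst_ip> <dst_port> <packets>".
# The last line is from an unrouted private address (no owner in the table).
FLOWS = """\
1177545600 192.0.2.17 192.0.2.200 80 1200
1177545600 198.51.100.9 192.0.2.200 80 950
1177545601 198.51.100.70 192.0.2.200 80 870
1177545601 203.0.113.5 192.0.2.200 80 1100
1177545602 203.0.113.77 192.0.2.200 80 640
1177545602 2001:db8::1 192.0.2.200 80 300
1177545603 10.1.2.3 192.0.2.200 80 50
"""

def parse_flows(text):
    """Parse the whitespace-separated flow lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, pkts = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "port": int(port), "packets": int(pkts)})
    return records

def attribute(records):
    """Aggregate packet counts by owning ASN and by country.

    Returns (by_asn, by_country, unattributed_packets)."""
    by_asn, by_cc = Counter(), Counter()
    unknown = 0
    for r in records:
        owner = lookup_owner(r["src"])
        if owner is None:
            unknown += r["packets"]
            continue
        asn, cc = owner
        by_asn[asn] += r["packets"]
        by_cc[cc] += r["packets"]
    return by_asn, by_cc, unknown

def top_share(counter):
    """Fraction of attributed packets from the single largest contributor."""
    total = sum(counter.values())
    return max(counter.values()) / total if total else 0.0

def summarize(text, single_origin_threshold=0.5):
    """Trace the sources of a flood and say whether one owner dominates.

    single_origin is True only when one ASN carries at least the threshold
    share of attributed traffic, i.e. when the trace really does point at
    one network rather than at a dispersed set of relays."""
    records = parse_flows(text)
    by_asn, by_cc, unknown = attribute(records)
    share = top_share(by_asn)
    return {
        "distinct_sources": len({r["src"] for r in records}),
        "top_asn": by_asn.most_common(1)[0][0],
        "top_asn_share": round(share, 3),
        "countries": sorted(by_cc),
        "unattributed_packets": unknown,
        "single_origin": share >= single_origin_threshold,
    }

if __name__ == "__main__":
    print(summarize(FLOWS))
```

On the constructed data the largest owner carries about a third of the traffic and the sources sit in five countries, so the trace yields five networks to contact and no single "attacking server"; the private address is dropped as unattributable rather than guessed at. The threshold is a made-up analyst knob, not a standard.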

A Fundamental Question

"In this environment it's just very difficult to tell the point of origin," said Cartwright. "The source of the activity can be widely separated. Al Qaeda can live on a US ISP and execute from someplace else. How do we handle that?"

( TAKE OUT THE ATTACKING SERVER OR PC, THIS WILL IN THE LONG RUN HELP SERVICE PROVIDERS EXPAND SECURITY, FROM A BOTTOM LINE VIEW, G )

It boils down to a fundamental question: When does an attack in cyberspace become a de jure attack? Even in the case of Estonia, protected by NATO's collective defense principle, the proper response to last spring's attack was open to debate.

( THERE WAS AN ATTACK, AND IT WAS TRACED TO SPECIFIC SERVERS, HOWEVER THE PERSONS CAUSING THE ATTACK WERE UNKNOWN, WHY WERE THE SERVERS NOT TAKEN OUT? G )

Still undefined is the proper role for the US military. Inside the United States, legal precedent and direction limits what the military can do. According to Cartwright, "If it's inside the US, if we're to do anything about it, it's got to be on dot.mil" for the military to act. Most classified military networks are self-contained and rarely subject to the same barrage of attacks carried via the Internet.

"If it's outside that and they want the military to do anything about it, then its military support to civil authorities just like we would do with a hurricane or anything else," he explained.

In fact, it's the Department of Homeland Security that houses the key response teams for responding to Internet attack.


Expect to see an impact on Air Force budgets as service leaders fund the new mission. "What we're trying to do in '08 and '09 is to accelerate the programs that are tied to survivability of the Air Force portion of the global information grid," Elder said.


Serious money is going to the effort. "Some things we're trying to do with the CITS Block 30, for example, are in the range of half a billion dollars," Elder said.

( WHEN WILL THEY HAVE "RULES OF ENGAGEMENT" ABILITY TO GO ON THE OFFENSIVE? IF ATTACKED USA HAS A RESPONSIBILITY TO TAKE OUT THE ATTACKER. IF A SERVICE PROVIDER LOSES A SERVER BECAUSE OF POOR SECURITY OR LACK OF OVERSIGHT ON WHOM THEY LET USE THE SERVER, THAT SHOULD NOT DETER USA FROM COUNTERSTRIKING AN ATTACKING SERVER. G )


Creating Effects

Many acknowledge the current US cyberspace strategy is "dysfunctional"—to use Cartwright's term from when he headed STRATCOM. But there's been only tepid enthusiasm for the Air Force's willingness to step up to the growing mission. Ultimately, the Air Force may be recognized as the chief force provider for cyber capabilities. Signs suggest it won't come without a period of debate.

That debate will center first on the logic of cyberspace as a domain. To Air Force planners, the domain aspects have become self-evident. Cyberspace operations include activity to maintain the freedom to attack and freedom from attack in that domain. In fact, counterdomain operations are being defined, too.

As Elder put it, "The better your cyber is, the [more] quickly you can do decision-making, [to] create effects." Degrading and slowing operations—especially to the point where "you can't operate anymore"—creates what Elder termed a "counterdomain effect."

Not all accept cyberspace as a clear-cut domain like air, space, or the sea, however. Cartwright, for one, pointed out that it all turns in part on whether cyberspace is to be treated as a truly separate and co-equal area of warfare. "That's the huge debate," he said. "Should this be a domain or not be a domain?"

( ONLY A TROGLODYTE WOULD CLAIM THE WEB ISN'T A DOMAIN, I THINK AL QAEDA HAS PROVED THAT HYPOTHESIS. G )

Even as the pace of activity escalates, there's a sense of proceeding carefully. Part of the concern rests with a reluctance to lock in poor solutions.

( "LOCK IN " IS BS FOR LACK OF DECISION MAKING, NOTHING IS LOCKED IN, IT WILL BE TRIAL AND ERROR. G )

Cartwright urged senior leaders to recognize how much there is to learn from the younger generation. "The Joint Staff is an old staff, demographically," he said. "So here we are, in charge of thinking our way through cyber without the 20-somethings."

He warned against putting in place a rigid doctrine for cyberspace that might end up squashing the creative thinking that has always been a hallmark of the domain.

"If we try to use our industrial-age Napoleonic decision structures, are we disadvantaging ourselves?" asked Cartwright. He saw "a lot of cultural issues that far outreach the technical issues and the organizational constructs. What I'm most concerned about is protecting the decision space and the opportunity space of the 20-somethings."

But he stopped well short of handing over the cyber mantle to the Air Force. "Where we are right now, each of the services has found value," Cartwright said. The Air Force is making investments and letting its money "speak about their risk equations. We've got enough time to let that play out."

( EVENTUALLY EACH SERVICE WILL HAVE ITS OWN CYBER FORCE. G )

Rebecca Grant is a contributing editor of Air Force Magazine. She is president of IRIS Independent Research in Washington, D.C., and has worked for RAND, the Secretary of the Air Force, and the Chief of Staff of the Air Force. Grant is a fellow of the Eaker Institute for Aerospace Concepts, the public policy and research arm of the Air Force Association. Her most recent article, "There When it Counts," appeared in the December 2007 issue.

It's just so frustrating to see discussions of faits accomplis like they are NOT. Is the WWW a domain? That is something that is self evident to the Internet. I don't want to hear from anyone that doesn't have a PC on his desk, and I suspect there are a lot of general officers that don't, and they should be replaced.

"US armed forces face "peer" adversaries in only one area—military cyberspace." NOT. USA armed forces are 5 years behind in force projection on the WWW.

This reminds me of, I think it was Doolittle, that exposed the air as a domain by bombing some battle ships to the bottom of the sea, to show air as force projection.

Hell: there is a new www WMD and we are still discussing if its a "domain" we are 5 years behind.

The same logic that applies to coastal defenses applies to server and net defenses. Offense not defense. ( I'm not saying to drop defenses but we MUST have and use an offensive capability. Right now it takes an OK FROM BUSH to take down a server. ) Would any military service exist without offensive capabilities? We're acting without rules of engagement on the WWW; USA IS AN EASY, SAFE TARGET. If the USA used the rules of engagement in Iraq as they use on the WWW, the USA would have surrendered by now.

NSA is hiding all the cool WWW side arms. Our intel paradigm on NSA remains confidential; their capabilities boggle the mind.

Gerald

UPDATE:

US reveals plans to hit back at cyber threats

MY COMMENT IN CAPS.G

Tom Espiner ZDNet.co.uk

Published: 02 Apr 2008 17:27 BST

The US Air Force Cyber Command is developing capabilities to inflict denial of service, confidential data loss, data manipulation, and system integrity loss on its adversaries, and to combine these with physical attacks, according to a senior US general.

Air Force Cyber Command (AFCYBER), a US military unit set up in September 2007 to fight in cyberspace, is due to become fully operational in the autumn under the aegis of the US Eighth Air Force. Lieutenant general Robert J Elder, Jr, who commands the Eighth Air Force's Barksdale base, told ZDNet.co.uk at the Cyber Warfare Conference 2008 that the Air Force is interested in developing its capabilities to attack enemy forces as well as defend critical national infrastructure.

"Offensive cyberattacks in network warfare make kinetic attacks more effective, [for example] if we take out an adversary's integrated defence systems or weapons systems," said Elder. "This is exploiting cyber to achieve our objectives."

However, this is a double-edged sword, as adversaries will also attempt to develop similar capabilities, especially considering the US military's heavy use of technology, said Elder.

NOW THIS IS A ONE EDGED SWORD, THEY MAY HAVE THAT CAPABILITY, USA DOES NOT AND WOULD NEED BUSH'S OK TO ENGAGE. G

"Terrorists and criminals are doing the same thing. We depend so heavily as a military on the use of cyber, we have to be cautious about it," said Elder. "Cyber gives us a huge advantage but adversaries look at our capabilities and see areas they can undermine. We need to protect our asymmetric advantage — on the one hand by having people further exploit cyber, and on the other by having mission assurance."

This problem is made more pressing by the military's reliance on the public internet to perpetrate cyberattacks. The infrastructure the US military uses to both launch and defend against cyberattacks runs through the public internet system. Military networks such as the Global Information Grid are linked to US government and critical national infrastructure systems, which in turn are linked to the public internet. Adversary systems are subverted by the US military through public channels — however, this also leaves the US military open to attack through the same channels, said Elder.

ELDER IS MISSING A GOOD POINT HERE, IF THE PUBLIC INTERNET SYSTEM IS TAKEN DOWN WHAT HAPPENS TO THE C2 FOR THE MILITARY. G

"The infrastructure on which the Air Force depends is controlled by both military and commercial entities and is vulnerable to attacks and manipulation," said Elder.

Other causes for military concern include possible supply-chain vulnerabilities, where vulnerabilities are introduced into chipsets during manufacturing that an adversary can then exploit, and electronics vulnerabilities.

"We need to make sure chips aren't manipulated — we're worried about information assurance just like everyone else," said Elder.

Other problems being faced by the Cyber Command are centred around different Air Force and military units needing to improve their channels of communication before the autumn.

"We have 10,000 people to do this, but the problem is they are stovepiped," said Elder.

10,000 PEOPLE? THEN WHY ARE THERE 5,000 TERROR WEB SITES STILL UP? WHY ARE WE ALLOWING THEIR C2 TO FUNCTION ON THE INTERNET? G

I HAVE 100 AND WE ARE COMPILING LISTS OF TERROR SITES. MY TROOPS JUST VETTED 700 SITES IN 2 DAYS. G

"Stovepiping" has two complementary meanings. In IT terms it describes information held in separate databases which is difficult to access due to its multiple locations — the UK equivalent term would be "siloed". In intelligence-gathering terms — the Eighth also serves as the US Air Force information operations headquarters — "stovepiping" refers to information which has been passed up the chain of command without undergoing due diligence.

Elder said that, while he was satisfied with AFCYBER's covert operations capabilities and its demonstrable ability to remotely destroy missile defence systems, he wished to further develop its attack capabilities.

"IT people set up traditional IT networks with the idea of making them secure to operate and defend," said Elder. "The traditional security approach is to put up barriers, like firewalls — it's a defence thing — but everyone in an operations network is also part of the [attack] force. We're trying to move away from clandestine operations. We're looking for real physics — a bigger bang resulting in collateral damage."

MOVING AWAY FROM COVERT OR CLANDESTINE OPERATIONS ON THE INTERNET IS THE OPPOSITE OF A FORCE MULTIPLIER. FORCE REDUCER? BAD MOVE. G

"For deterrence we have to clearly identify the attacker. We're working on rapid forensics to determine who the adversary is."

WITH BOTNETS I DON'T THINK THIS IS POSSIBLE OR THAT YOU CAN DO IT WITH CURRENT TECHNOLOGY. G

Lieutenant general Robert J Elder, Jr

US Cyber Command also needs to develop the means to quickly pinpoint exactly where an attack is coming from, to be able to retaliate, and also to deter potential attackers.

"We haven't done a good job in the cyber-domain just yet," said Elder. "We have to demonstrate the capability to do [rapid forensics] then message that to our adversaries. For deterrence we have to clearly identify the attacker. We're working on rapid forensics to determine who the adversary is."

MESSAGE THE ADVERSARIES WE KNOW WHO AND WHERE THEY ARE? WOULD YOU DO THIS ON A BATTLEFIELD? THIS IS NUTS, IT MAKES USA A SAFE TARGET AGAIN, YOU ENABLE THEIR ATTACKS WITH THIS PARADIGM. TAKE THE BASTARDS OUT. G

WE ARE UNDER ATTACK. ELDER DOESN'T SEEM TO GET THAT. G

While cyber-espionage was inevitable, said Elder, knowledge of the US military being able to pinpoint the source of cyberattacks could deter assaults on critical national infrastructure that use Supervisory Control And Data Acquisition (Scada) systems.

"We're not going to deter cyber-espionage, but we might be able to deter attacks on Scada networks," said Elder.

As well as developing forensics tools, Cyber Command is also coding tools to check for incursions, including a "Cyber Sidearm", which will monitor activity on the Combat Information Transport System — the US Air Force cyber-network.

A CYBER SIDEARM DOES NOT MONITOR, A SIDEARM DOES DAMAGE, YOU DO NOT HAVE A CYBER SIDEARM IF IT ONLY MONITORS, YOU HAVE A DAMAGE RECORDER NOT A SIDEARM. I HAVE BEEN ISSUING CYBER SIDEARMS TO SELECT TROOPS SINCE MAR 22 IN OUR "C" COMPANY. G

"We've been working to get the functionality built — we're supposed to have it in the next couple of months," said Elder.

US Eighth Air Force said it was seeking partnerships with both public- and private-sector organisations to "secure cyberspace". The Department of Homeland Security's Strategy to Secure Cyberspace includes establishing a public-private architecture to gauge and respond to cyberthreats, and increase information-sharing between public- and private-sector organisations and the military.

1 Comment:

USAF & USN do EW and use that as a template for CNO. CND is the easiest to explain to Democrat congresscritters like Waxman. CNA against a non-state actor who is also a campaign contributor won't be tried very often, at least not by Regulars. We will lawfare ourselves out of CNA unless it's in response to an obvious and devastating attack on us.

.gov and .mil CNO is always going to be a bureaucratic, CYA, risk-averse, slow to adapt behemoth.

WE need cyber privateers operating under cyber Letters of Marque allowing them to profit from successful CNE of whoever attacks our networks.